Compare commits


2 commits

Author SHA1 Message Date
8ca8f0b8ea
add harbor
Signed-off-by: gwg313 <gwg313@pm.me>
2026-05-19 14:26:06 -04:00
d8e2543152
add audiobookshelf
Signed-off-by: gwg313 <gwg313@pm.me>
2026-05-19 12:41:13 -04:00
68 changed files with 418 additions and 1122 deletions


@ -1,8 +1,3 @@
apiVersion: v1
kind: Namespace
metadata:
name: audiobookshelf
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@ -22,7 +17,7 @@ spec:
spec: spec:
containers: containers:
- name: audiobookshelf - name: audiobookshelf
image: ghcr.io/advplyr/audiobookshelf:latest image: ghcr.io/advplyr/audiobookshelf:2.35.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 80 - containerPort: 80
@ -31,6 +26,15 @@ spec:
env: env:
- name: TZ - name: TZ
value: "America/Toronto" value: "America/Toronto"
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
volumeMounts: volumeMounts:
- name: audiobooks-volume - name: audiobooks-volume
mountPath: /audiobooks mountPath: /audiobooks
@ -53,18 +57,3 @@ spec:
- name: metadata-volume - name: metadata-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: audiobookshelf-metadata claimName: audiobookshelf-metadata
---
apiVersion: v1
kind: Service
metadata:
name: audiobookshelf-svc
namespace: audiobookshelf
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http # References the named string 'http' from the containerPort map
protocol: TCP
selector:
app: audiobookshelf
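Review bot: The image is now pinned to the tag `2.35.0`, but a tag is still mutable, and with `imagePullPolicy: IfNotPresent` each node keeps whatever it first pulled under that name. Pinning by digest, `image: ghcr.io/advplyr/audiobookshelf:2.35.0@sha256:<digest-placeholder>`, makes the deployed content verifiable and identical across nodes. The container spec continues outside this hunk, so I cannot see whether a `securityContext` is set; if it is not, it would sit naturally next to the new `resources` block.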


@ -0,0 +1,62 @@
# ----------------------------------------------------
# Ingress only from Gateway API
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-ingress
namespace: audiobookshelf
spec:
endpointSelector:
matchLabels:
app: audiobookshelf
ingress:
- fromEntities:
- ingress
toPorts:
- ports:
- port: "80"
protocol: TCP
---
# ----------------------------------------------------
# audible access (cover art, metadata)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-audible
namespace: audiobookshelf
spec:
endpointSelector:
matchLabels:
app: audiobookshelf
egress:
- toFQDNs:
- matchName: audible.com
toPorts:
- ports:
- port: "443"
protocol: TCP
# ----------------------------------------------------
# OPTIONAL: unrestricted HTTPS egress (disabled)
# ----------------------------------------------------
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
# name: allow-all-egress
# namespace: audiobookshelf
# spec:
# endpointSelector:
# matchLabels:
# app: audiobookshelf
#
# egress:
# - toEntities:
# - world
# toPorts:
# - ports:
# - port: "443"
# protocol: TCP
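Review bot: `allow-audible` uses `toFQDNs`, but nothing in this file lets the pod reach cluster DNS through Cilium's DNS proxy, which is how FQDN rules learn the addresses they allow. Once this egress rule selects the pod, all other egress is denied, so unless a cluster-wide policy elsewhere already allows DNS with an L7 `dns` rule, lookups fail and the `audible.com` rule never matches anything. Note also that `matchName: audible.com` matches that exact name only; subdomains would need a `matchPattern`. A DNS rule along these lines would close the gap; adjust the selector to the cluster's DNS pods and narrow the `dns` pattern if only a few names are needed.

```yaml
  egress:
    # … unchanged: toFQDNs rule for audible.com on 443/TCP …
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
```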


@ -11,7 +11,6 @@ spec:
storage: 1Gi storage: 1Gi
volumeName: audiobookshelf-config-pv volumeName: audiobookshelf-config-pv
storageClassName: audiobookshelf-iscsi storageClassName: audiobookshelf-iscsi
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
@ -26,7 +25,6 @@ spec:
storage: 1Gi storage: 1Gi
volumeName: audiobookshelf-metadata-pv volumeName: audiobookshelf-metadata-pv
storageClassName: audiobookshelf-iscsi storageClassName: audiobookshelf-iscsi
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim


@ -9,6 +9,9 @@ spec:
- ReadWriteOnce - ReadWriteOnce
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-iscsi storageClassName: audiobookshelf-iscsi
claimRef:
namespace: audiobookshelf
name: audiobookshelf-config
iscsi: iscsi:
targetPortal: truenas.local.gwg313.xyz:3260 targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-config iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-config
@ -31,6 +34,9 @@ spec:
- ReadWriteOnce - ReadWriteOnce
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-iscsi storageClassName: audiobookshelf-iscsi
claimRef:
namespace: audiobookshelf
name: audiobookshelf-metadata
iscsi: iscsi:
targetPortal: truenas.local.gwg313.xyz:3260 targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-metadata iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-metadata
@ -52,10 +58,13 @@ spec:
accessModes: accessModes:
- ReadOnlyMany - ReadOnlyMany
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-nfs
claimRef:
namespace: audiobookshelf
name: audiobookshelf-audiobooks
nfs: nfs:
server: truenas.local.gwg313.xyz server: truenas.local.gwg313.xyz
path: /mnt/tank/media/audiobooks path: /mnt/tank/media/audiobooks
storageClassName: audiobookshelf-nfs
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
@ -67,7 +76,10 @@ spec:
accessModes: accessModes:
- ReadOnlyMany - ReadOnlyMany
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: audiobookshelf-nfs
claimRef:
namespace: audiobookshelf
name: audiobookshelf-podcasts
nfs: nfs:
server: truenas.local.gwg313.xyz server: truenas.local.gwg313.xyz
path: /mnt/tank/media/podcasts path: /mnt/tank/media/podcasts
storageClassName: audiobookshelf-nfs
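Review bot: The two NFS volumes declare `ReadOnlyMany`, but access modes only drive PV/PVC matching and do not make the mount read-only, so the pod could still write to `/mnt/tank/media/audiobooks` and `/mnt/tank/media/podcasts` if the export allows it. The `nfs:` blocks as shown carry only `server` and `path`; adding `readOnly: true` under each `nfs:` would enforce the intent at mount time. The Deployment's `volumeMounts` may already set `readOnly`, which is outside this section, so treat this as something to confirm. The PV specs start outside these hunks.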

11
apps/harbor/Chart.yaml Normal file

@ -0,0 +1,11 @@
apiVersion: v2
name: harbor
description: Harbor registry
type: application
version: 1.0.0
appVersion: "1.10.2"
dependencies:
- name: harbor
version: 1.19.0
repository: https://helm.goharbor.io


@ -0,0 +1,19 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: harbor-iscsi-auth
namespace: harbor
spec:
encryptedData:
discovery.sendtargets.auth.password: AgABfPv3gVBdRs8k9LLTBHhm2sk5lzcXxE4aXf3TI8dMMLGD4l2yI++zEZgh+k4f3abht7To1vtqOSzu1GQc08dWf/q0YgZmUJNuLS0z5vdvSn5RcM5NGMnB6y0SvXQVbSzN5cRg+oBLuwSHJPeF7k82BglOmZSxNLUL8fdNJvDj6ntr62oFaaiAD5D2UCy+ezp32yB9dD0C2F1isU4fyGgA8a0UYQvRbgurQUpq1dH5WWtS9mW7iH0oIhHOl4HUIfO6EGrinvnb2Wne+fgKWbfxwoMonNdo3uJK872OZ5qyvlg9fWMTHb+n10RuTB2z0jt8NdAfDVllnxSeNQaAzMu+cCIQejKoegWua0OC+Tx7smDkOUbkETRHrajy3mDDk88fqJ0s5uN0XmIT8F0ee9tzI070whtZkS9Ku5Gp9waj7ZA4TbawQ0AuVxVQTgGvPxL2A5eGXW6EHGb1RqY52mI0FLzcKXowSUj0PzOHgyWtfkxcyI5oDfLUNg7MxRtLLZspMm/wZi016M1JKlCQa3yGeHTNKkqDGc4oqEdkUPQyW0ItrdqtHT5Jb+9WARN9POMMxiYB15MRdkbXGPYJ1DsIDpDOZvBrKrQCr0DvDa664cXjaS9WWkV8ioSQvqoA3XkMZfmk+uSVC+rxIa/EveJgzfaUEW1O09mJvptFHKg1jMzTPF1UANLOeNQ8WNWXocqEfRaK/GPNTXb9fgUGeHmL
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: harbor-iscsi-auth
namespace: harbor
type: kubernetes.io/iscsi-chap


@ -0,0 +1,37 @@
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: harbor-intra-namespace-allow
namespace: harbor
spec:
description: "Allow all internal Harbor microservices to talk to each other cleanly"
endpointSelector:
matchLabels:
app: harbor
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: harbor
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: harbor
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-ingress
namespace: harbor
spec:
description: "Allow external traffic from the shared Cilium edge proxy into the harbor namespace services"
endpointSelector:
matchLabels: {}
ingress:
- fromEntities:
- ingress
toPorts:
- ports:
- port: "80"
protocol: TCP
- port: "8080"
protocol: TCP
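Review bot: `allow-ingress` uses an empty `endpointSelector`, so it opens ports 80 and 8080 from the ingress entity to every pod in the `harbor` namespace, not only to the two backends the HTTPRoute in this comparison targets. As far as I know several Harbor components listen on 8080 internally, so the edge proxy identity could reach pods that are never meant to be fronted. Narrowing the selector to the core and portal pods keeps the policy in line with the route; the `component` label below is what the upstream chart normally sets, so confirm it against the rendered pods. Separately, `harbor-intra-namespace-allow` limits egress to the namespace, which would also block DNS and Trivy database downloads unless another policy allows them.

```yaml
spec:
  # … unchanged: description …
  endpointSelector:
    matchExpressions:
      - key: component
        operator: In
        values:
          - core
          - portal
  # … unchanged: ingress fromEntities rule and toPorts …
```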


@ -0,0 +1,74 @@
# Harbor: Registry
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-registry
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-registry-pv
resources:
requests:
storage: 200Gi
---
# Harbor: Jobservice
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-jobservice
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-jobservice-pv
resources:
requests:
storage: 10Gi
---
# Harbor: Database
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-database
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-database-pv
resources:
requests:
storage: 10Gi
---
# Harbor: Redis
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-redis
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-redis-pv
resources:
requests:
storage: 10Gi
---
# Harbor: Trivy
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-trivy
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-trivy-pv
resources:
requests:
storage: 10Gi


@ -1,3 +1,4 @@
# Harbor: Registry
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
@ -10,6 +11,10 @@ spec:
volumeMode: Filesystem volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi storageClassName: harbor-iscsi
# --- PRE-BINDING LOCK ---
claimRef:
namespace: harbor
name: harbor-registry
iscsi: iscsi:
targetPortal: truenas.local.gwg313.xyz targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-registry iqn: iqn.2005-10.org.freenas.ctl:harbor-registry
@ -20,23 +25,6 @@ spec:
chapAuthSession: true chapAuthSession: true
secretRef: secretRef:
name: harbor-iscsi-auth name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-registry
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-registry-pv
resources:
requests:
storage: 200Gi
# Harbor: Jobservice
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
@ -50,6 +38,9 @@ spec:
volumeMode: Filesystem volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi storageClassName: harbor-iscsi
claimRef:
namespace: harbor
name: harbor-jobservice
iscsi: iscsi:
targetPortal: truenas.local.gwg313.xyz targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-jobservice iqn: iqn.2005-10.org.freenas.ctl:harbor-jobservice
@ -60,23 +51,6 @@ spec:
chapAuthSession: true chapAuthSession: true
secretRef: secretRef:
name: harbor-iscsi-auth name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-jobservice
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-jobservice-pv
resources:
requests:
storage: 10Gi
# Harbor: Database
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
@ -90,6 +64,9 @@ spec:
volumeMode: Filesystem volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi storageClassName: harbor-iscsi
claimRef:
namespace: harbor
name: harbor-database
iscsi: iscsi:
targetPortal: truenas.local.gwg313.xyz targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-database iqn: iqn.2005-10.org.freenas.ctl:harbor-database
@ -100,23 +77,6 @@ spec:
chapAuthSession: true chapAuthSession: true
secretRef: secretRef:
name: harbor-iscsi-auth name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-database
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-database-pv
resources:
requests:
storage: 10Gi
# Harbor: Redis
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
@ -130,6 +90,9 @@ spec:
volumeMode: Filesystem volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi storageClassName: harbor-iscsi
claimRef:
namespace: harbor
name: harbor-redis
iscsi: iscsi:
targetPortal: truenas.local.gwg313.xyz targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-redis iqn: iqn.2005-10.org.freenas.ctl:harbor-redis
@ -140,23 +103,6 @@ spec:
chapAuthSession: true chapAuthSession: true
secretRef: secretRef:
name: harbor-iscsi-auth name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-redis
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-redis-pv
resources:
requests:
storage: 10Gi
# Harbor: Trivy
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
@ -170,6 +116,9 @@ spec:
volumeMode: Filesystem volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: harbor-iscsi storageClassName: harbor-iscsi
claimRef:
namespace: harbor
name: harbor-trivy
iscsi: iscsi:
targetPortal: truenas.local.gwg313.xyz targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:harbor-trivy iqn: iqn.2005-10.org.freenas.ctl:harbor-trivy
@ -180,18 +129,3 @@ spec:
chapAuthSession: true chapAuthSession: true
secretRef: secretRef:
name: harbor-iscsi-auth name: harbor-iscsi-auth
namespace: harbor
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-trivy
namespace: harbor
spec:
accessModes:
- ReadWriteOnce
storageClassName: harbor-iscsi
volumeName: harbor-trivy-pv
resources:
requests:
storage: 10Gi


@ -0,0 +1,38 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: harbor
namespace: harbor
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: shared-edge-gateway
namespace: cilium-ingress
hostnames:
- registry.gwg313.xyz
- registry.local.gwg313.xyz
- registry.zerotier.gwg313.xyz
rules:
- matches:
- path: { type: PathPrefix, value: "/api/" }
- path: { type: PathPrefix, value: "/service/" }
- path: { type: PathPrefix, value: "/chartrepo" }
- path: { type: PathPrefix, value: "/c/" }
- path: { type: PathPrefix, value: "/v1/" }
- path: { type: PathPrefix, value: "/v2/" }
backendRefs:
- group: ""
kind: Service
name: harbor-core
port: 80
weight: 1
- matches:
- path: { type: PathPrefix, value: "/" }
backendRefs:
- group: ""
kind: Service
name: harbor-portal
port: 80
weight: 1
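Review bot: The `parentRefs` entry has no `sectionName`, so the route attaches to every listener on `shared-edge-gateway` that admits it, including any plain-HTTP listener. For a registry that carries credentials and push tokens, that would serve `/v2/` and `/service/` in cleartext unless the gateway redirects HTTP itself; the gateway definition is not on this page, so this needs confirming. Pinning the route to the TLS listener with `sectionName: <https-listener-name>` under the `parentRefs` item makes the intent explicit. The Istio Gateway removed elsewhere in this comparison only exposed 443 with `mode: SIMPLE`, so the pin keeps that guarantee.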

111
apps/harbor/values.yaml Normal file

@ -0,0 +1,111 @@
harbor:
externalURL: https://registry.gwg313.xyz
nginx:
replicas: 0
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 50m
memory: 32Mi
portal:
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
core:
updateStrategy:
type: Recreate
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
jobservice:
updateStrategy:
type: Recreate
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
registry:
updateStrategy:
type: Recreate
registry:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
controller:
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
trivy:
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
database:
internal:
resources:
requests:
cpu: 200m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
redis:
internal:
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
persistence:
enabled: true
persistentVolumeClaim:
registry:
existingClaim: harbor-registry
jobservice:
existingClaim: harbor-jobservice
trivy:
existingClaim: harbor-trivy
database:
existingClaim: harbor-database
redis:
existingClaim: harbor-redis
core:
existingClaim: harbor-core
ingress:
enabled: false
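Review bot: These values set no admin password, secret key or database password, so the chart falls back to its published defaults for all three. With `externalURL: https://registry.gwg313.xyz` that matters on any fresh database; an existing database keeps whatever was set earlier, which I cannot see from here. The chart accepts references to existing secrets, for example `existingSecretAdminPassword: <sealed-secret-name>` and `existingSecretSecretKey: <sealed-secret-name>`, which would fit the SealedSecret pattern already used for `harbor-iscsi-auth`. Also, `persistentVolumeClaim.core.existingClaim: harbor-core` has no matching PVC in this comparison and, as far as I know, is not a key the chart reads.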


@ -3,6 +3,8 @@ kind: Application
metadata: metadata:
name: harbor name: harbor
namespace: argocd namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "10"
spec: spec:
project: default project: default
destination: destination:
@ -11,7 +13,7 @@ spec:
source: source:
repoURL: https://helm.goharbor.io repoURL: https://helm.goharbor.io
chart: harbor chart: harbor
targetRevision: 1.14.2 targetRevision: 1.19.0
helm: helm:
releaseName: harbor releaseName: harbor
values: | values: |
@ -49,3 +51,5 @@ spec:
selfHeal: true selfHeal: true
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ServerSideApply=true
- SkipDryRunOnMissingResource=true
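Review bot: This Application keeps deploying the upstream chart with inline `values:`, while another file in this comparison defines an Application with the same `name: harbor` in `namespace: argocd` that deploys `path: apps/harbor` from the Git repository. If both manifests are applied, they describe one object with two different sources and whichever is applied last wins; the paths of the two files are not visible here, so one of them may be an intentional leftover. If the Git-backed wrapper chart is the intended source, this file should be removed; otherwise `targetRevision: 1.19.0` here and the `version: 1.19.0` dependency in `apps/harbor/Chart.yaml` have to be kept in step by hand.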


@ -1,4 +0,0 @@
installCRDs: true
extraArgs:
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53


@ -1,15 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: cloudflare-api-token
namespace: cert-manager
spec:
encryptedData:
api-token: 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
template:
metadata:
creationTimestamp: null
name: cloudflare-api-token
namespace: cert-manager
type: Opaque


@ -1,16 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: gwg313@pm.me
privateKeySecretRef:
name: letsencrypt-dns-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token


@ -1,12 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: harbor-cert-nginx
namespace: harbor
spec:
secretName: harbor-cert-nginx
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- harbor.gwg313.xyz


@ -1,12 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: harbor-cert
namespace: istio-system
spec:
secretName: harbor-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- registry.gwg313.xyz


@ -1,18 +0,0 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: harbor-gateway
namespace: harbor
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- registry.gwg313.xyz
tls:
mode: SIMPLE
credentialName: harbor-cert


@ -1,18 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: harbor-iscsi-auth
namespace: harbor
spec:
encryptedData:
discovery.sendtargets.auth.password: AgAeJ3ODG8BmuWuPNj9VRVGJdi68V0NMTAdhF2Nhk8soW+l742UnEQNneZLEg2MBM4iHOit5Nsjw/0YRm8Yb8loTZInIDIXCi6LrP1NX58zANuoc/K8lovHL9BxwSeucfs+/Jh9vfM6tvuFExFz+yHeYhlufWSBkZIqF7LkX/yR7H1Yc5r4hXCJ2lDd/0TDssN8CjrIZ/2R/8rhKB7/14KfHifV/bXVwXUMtevXvbeEqeJxPPvRPb2fX6D3rrlbOLBnWBiRr4pLf76QrKG5ZgRiV2iXOKHfP3JBO5SCh5ftK8qIVgmAt7TcnEftzp4R6z6BvD2s5UNtUdzXSuwBuGW6Hc7jR8KszoziLI4LEVfU5YZtlc4U2NYuvrWUfzl7WB4c15saqr3ZK1jFxfzTQE4CPfY3HD4mQR0wQvzpDFrTI57sygXG5mRcpePnxu62i7rmx/RUSMAY6kt00YnrnSTafufdcFBA+RbFcJ7saDiidhC1R9nmanl1R2bOh0aZN6c5GPfGcaAvP4CqSVmns/e3s3Csm3OIMaKB+D3adkcMT3iDrpmaoN0eSCYFFKeIzUApVgEWMOWGoGRfeomAzJbpqwhfLecNkOAH2jgX3OTDYuKxik1oAwNOlH7s9ogTXtALG51x7brH1Hfcp5J36v0g+dZV4k2/z4V1R4GbQ9HvKiIA/zWDjZXUwh1/Jmf/n1J2tgK4DFnOpfA5+Hi27OFtQ
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: harbor-iscsi-auth
namespace: harbor
type: kubernetes.io/iscsi-chap


@ -1,39 +0,0 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: harbor
namespace: harbor
spec:
hosts:
- registry.gwg313.xyz
gateways:
- harbor-gateway
http:
- match:
- uri:
prefix: /api/
- uri:
prefix: /service/
- uri:
prefix: /chartrepo
- uri:
prefix: /c/
- uri:
prefix: /v1/
- uri:
prefix: /v2/
route:
- destination:
host: harbor-core
port:
number: 80
- match:
- uri:
prefix: /
name: portal
route:
- destination:
host: harbor-portal
port:
number: 80
timeout: 30s


@ -1,26 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-cni
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: cni
targetRevision: 1.26.0
helm:
values: |
cni:
enabled: true
chained: false
logLevel: info
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true


@ -1,50 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-gateway
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "2"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: gateway
targetRevision: 1.26.0
helm:
values: |
replicaCount: 2
autoscaling:
enabled: false
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
podDisruptionBudget:
enabled: true
minAvailable: 1
proxy:
logLevel: warning
componentLogLevel: "misc:error,config:debug"
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true


@ -1,43 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-istiod
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
project: default
source:
repoURL: https://istio-release.storage.googleapis.com/charts
chart: istiod
targetRevision: 1.26.0
helm:
values: |
cni:
enabled: true
provider: default
sidecarInjectorWebhook:
disableInitContainers: true
pilot:
autoscaleEnabled: false
replicaCount: 2
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
podDisruptionBudget:
enabled: true
minAvailable: 1
destination:
server: https://kubernetes.default.svc
namespace: istio-system
syncPolicy:
automated:
prune: true
selfHeal: true


@ -1,9 +0,0 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
annotations:
name: default
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE


@ -1,13 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: grafana-cert
namespace: istio-system
spec:
secretName: grafana-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- grafana.local.gwg313.xyz
- grafana.zerotier.gwg313.xyz


@ -1,19 +0,0 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: grafana-gateway
namespace: monitoring
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: grafana-cert
hosts:
- grafana.local.gwg313.xyz
- grafana.zerotier.gwg313.xyz


@ -1,11 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
labels:
# istio-injection: enabled
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
app.kubernetes.io/name: monitoring


@ -1,20 +0,0 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: grafana
namespace: monitoring
spec:
hosts:
- grafana.local.gwg313.xyz
- grafana.zerotier.gwg313.xyz
gateways:
- grafana-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: prometheus-grafana
port:
number: 80


@ -1,12 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkwarden-cert
namespace: istio-system
spec:
secretName: linkwarden-cert
issuerRef:
name: letsencrypt-dns
kind: ClusterIssuer
dnsNames:
- bookmarks.gwg313.xyz


@ -1,18 +0,0 @@
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: linkwarden-gateway
namespace: linkwarden
spec:
selector:
istio: gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: linkwarden-cert
hosts:
- bookmarks.gwg313.xyz


@ -1,19 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: linkwarden-iscsi-auth
namespace: linkwarden
spec:
encryptedData:
discovery.sendtargets.auth.password: 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
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: linkwarden-iscsi-auth
namespace: linkwarden
type: kubernetes.io/iscsi-chap


@ -1,47 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: linkwarden
namespace: linkwarden
spec:
replicas: 1
selector:
matchLabels:
app: linkwarden
template:
metadata:
labels:
app: linkwarden
spec:
containers:
- name: linkwarden
image: ghcr.io/linkwarden/linkwarden:latest
ports:
- containerPort: 3000
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secret-linkwarden
key: POSTGRESQL_PASSWORD
- name: NEXTAUTH_SECRET
valueFrom:
secretKeyRef:
name: nextauth-secret
key: NEXTAUTH_SECRET
- name: DATABASE_URL
value: "postgres://postgres:$(POSTGRES_PASSWORD)@postgres:5432/postgres"
- name: NEXTAUTH_URL
value: "https://bookmarks.gwg313.xyz/api/v1/auth"
- name: NEXTAUTH_URL_INTERNAL
value: "http://localhost:3000"
- name: NEXT_PUBLIC_DISABLE_REGISTRATION
value: "false"
volumeMounts:
- mountPath: /data/data
name: linkwarden-data
volumes:
- name: linkwarden-data
persistentVolumeClaim:
claimName: linkwarden-data-pvc


@ -1,22 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: linkwarden-data-pv
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:linkwarden-data
lun: 0
fsType: ext4
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: linkwarden-iscsi-auth
claimRef:
namespace: linkwarden
name: linkwarden-data-pvc


@ -1,13 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: linkwarden-data-pvc
namespace: linkwarden
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
storageClassName: manual
volumeName: linkwarden-data-pv


@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: linkwarden


@ -1,16 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: nextauth-secret
namespace: linkwarden
spec:
encryptedData:
NEXTAUTH_SECRET: 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
template:
metadata:
creationTimestamp: null
name: nextauth-secret
namespace: linkwarden
type: Opaque


@ -1,25 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: postgresql-config
namespace: linkwarden
data:
POSTGRESQL_FSYNC: "on"
POSTGRESQL_SYNCHRONOUS_COMMIT: "on"
POSTGRESQL_FULL_PAGE_WRITES: "on"
POSTGRESQL_WAL_LEVEL: "replica"
POSTGRESQL_ARCHIVE_MODE: "on"
POSTGRESQL_MAX_WAL_SIZE: "2GB"
POSTGRESQL_MIN_WAL_SIZE: "1GB"
POSTGRESQL_CHECKPOINT_TIMEOUT: "5min"
POSTGRESQL_LOG_CONNECTIONS: "on"
POSTGRESQL_LOG_DISCONNECTIONS: "on"
POSTGRESQL_LOG_STATEMENT: "all"
POSTGRESQL_LOG_DURATION: "1000"
POSTGRESQL_AUTOVACUUM: "on"
POSTGRESQL_VACUUM_COST_DELAY: "20ms"
POSTGRESQL_LOG_TIMEZONE: "UTC"
POSTGRESQL_LOG_CHECKPOINTS: "on"
POSTGRESQL_LOG_ERROR_VERBOSITY: "verbose"
POSTGRESQL_HOT_STANDBY: "on"
POSTGRESQL_ARCHIVE_TIMEOUT: "60s"


@ -1,43 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres
namespace: linkwarden
spec:
replicas: 1
selector:
matchLabels:
app: postgres
template:
metadata:
labels:
app: postgres
spec:
securityContext:
fsGroup: 999 # PostgreSQL's default GID (postgres group)
containers:
- name: postgres
image: bitnami/postgresql:latest
ports:
- containerPort: 5432
env:
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secret-linkwarden
key: POSTGRESQL_PASSWORD
- name: POSTGRESQL_PERFORM_RESTORE
value: "true"
envFrom:
- configMapRef:
name: postgresql-config
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: postgres-storage
volumes:
- name: postgres-storage
persistentVolumeClaim:
claimName: linkwarden-postgres-pvc
securityContext:
runAsUser: 999 # Ensure the container runs as the 'postgres' user (UID 999)
fsGroup: 999 # Ensure the filesystem group is 'postgres' (GID 999)


@ -1,22 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: linkwarden-postgres-pv
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
iscsi:
targetPortal: truenas.local.gwg313.xyz:3260
iqn: iqn.2005-10.org.freenas.ctl:linkwarden-postgres
lun: 1
fsType: ext4
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: linkwarden-iscsi-auth
claimRef:
namespace: linkwarden
name: linkwarden-postgres-pvc


@ -1,13 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: linkwarden-postgres-pvc
namespace: linkwarden
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: manual
volumeName: linkwarden-postgres-pv


@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: postgresql-secret-linkwarden
namespace: linkwarden
type: Opaque
data:
POSTGRESQL_PASSWORD: dWtGbTYyOGR2QnpKQUpLWGVVdUs=
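Review bot: Deleting this manifest does not retract the credential, because `data.POSTGRESQL_PASSWORD` is only base64-encoded and stays readable in the repository history. If that password is still valid anywhere, including on the retained iSCSI volume behind `linkwarden-postgres-pv` or through reuse elsewhere, it should be rotated and treated as disclosed. The other secrets removed on this page are SealedSecrets, so this is the only one that was stored in recoverable form.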


@ -1,12 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: postgres
namespace: linkwarden
spec:
type: ClusterIP
selector:
app: postgres
ports:
- port: 5432
targetPort: 5432


@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: linkwarden
namespace: linkwarden
spec:
selector:
app: linkwarden
ports:
- name: http
port: 80
targetPort: 3000
type: ClusterIP


@ -1,19 +0,0 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: linkwarden
namespace: linkwarden
spec:
hosts:
- bookmarks.gwg313.xyz
gateways:
- linkwarden-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: linkwarden
port:
number: 80


@ -1,22 +1,23 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: istio-base name: audiobookshelf
namespace: argocd namespace: argocd
annotations: annotations:
argocd.argoproj.io/sync-wave: "0" argoproj.io/sync-wave: "0"
spec: spec:
project: default project: default
source: source:
repoURL: https://istio-release.storage.googleapis.com/charts repoURL: https://github.com/gwg313/homelab-gitops.git
chart: base targetRevision: main
targetRevision: 1.26.0 path: apps/audiobookshelf
destination: destination:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
namespace: istio-system namespace: audiobookshelf
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ServerSideApply=true
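Review bot: The sync-wave annotation on the new side reads `argoproj.io/sync-wave: "0"`, which drops the `argocd.` prefix the other Applications in this comparison use, so Argo CD will ignore it. Wave 0 is the default, so nothing changes today, but the key should be `argocd.argoproj.io/sync-wave: "0"` so that a later edit of the value takes effect. Separately, `targetRevision: main` with `prune` and `selfHeal` means anything merged to that branch is applied automatically, so branch protection on the repository is the real control here.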


@ -1,20 +1,24 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: default-network-policies name: harbor
namespace: argocd namespace: argocd
annotations: annotations:
argocd.argoproj.io/sync-wave: "-10" argocd.argoproj.io/sync-wave: "10"
spec: spec:
project: default project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops
targetRevision: main
path: platform/default-network-policies
destination: destination:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
namespace: argocd namespace: harbor
source:
repoURL: https://github.com/gwg313/homelab-gitops.git
path: apps/harbor
targetRevision: main
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
- SkipDryRunOnMissingResource=true


@ -10,7 +10,9 @@ resources:
- cert-manager.yaml - cert-manager.yaml
- monitoring.yaml - monitoring.yaml
- nfs-subdir.yaml - nfs-subdir.yaml
- harbor.yaml
- forgejo.yaml - forgejo.yaml
- audiobookshelf.yaml
- yopass.yaml - yopass.yaml
- tekton.yaml - tekton.yaml
- navidrome.yaml - navidrome.yaml


@ -1,7 +0,0 @@
apiVersion: v2
name: metallb
version: 0.1.0
dependencies:
- name: metallb
version: 0.13.12
repository: https://metallb.github.io/metallb


@ -1,8 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: default
namespace: metallb-system
spec:
addresses:
- 10.1.10.50-10.1.10.100


@ -1,3 +0,0 @@
resources:
- ipaddresspool.yaml
- l2advertisement.yaml


@ -1,5 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: default
namespace: metallb-system


@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: metallb-system


@ -1,46 +0,0 @@
metallb:
controller:
enabled: true
speaker:
enabled: true
hostNetwork: true
podAnnotations:
sidecar.istio.io/inject: "false"
tolerations:
- operator: Exists
securityContext:
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop: ["ALL"]
# keep FRR disabled GoBGP mode works fine and avoids NET_ADMIN
frr:
enabled: false
configInline:
peers:
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.3 # Talos node IP (optional but fine)
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.4 # Talos node IP (optional but fine)
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.5 # Talos node IP (optional but fine)
- peer-address: 10.1.10.1 # OPNsense LAN IP
peer-asn: 65551 # ASN you set on OPNsense
my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
hold-time: 90s
source-address: 10.1.10.6 # Talos node IP (optional but fine)
# router-id optional can omit or make unique per node
address-pools:
- name: default
protocol: bgp
addresses:
- 10.1.10.50-10.1.10.100


@ -1 +0,0 @@
fullnameOverride: sealed-secrets-controller


@ -1,7 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: secure-default
labels:
pod-security.kubernetes.io/enforce: "restricted"
pod-security.kubernetes.io/enforce-version: "latest"


@ -1,10 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: secure-default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress


@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: readonly-users
subjects:
- kind: Group
name: readonly
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io


@ -1,18 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: woodpecker-iscsi-auth
namespace: woodpecker
spec:
encryptedData:
discovery.sendtargets.auth.password: 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
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: woodpecker-iscsi-auth
namespace: woodpecker
type: Opaque


@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: woodpecker
labels:
pod-security.kubernetes.io/enforce: privileged


@ -1,41 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: woodpecker
namespace: woodpecker
spec:
parentRefs:
- name: shared-edge-gateway
namespace: cilium-ingress
hostnames:
- ci.local.gwg313.xyz
- ci.gwg313.xyz
- ci.zerotier.gwg313.xyz
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: woodpecker-server
port: 80
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
name: allow-gateway-to-woodpecker
namespace: woodpecker
spec:
from:
- group: gateway.networking.k8s.io
kind: Gateway
namespace: cilium-ingress
to:
- group: ""
kind: Service
name: woodpecker-server


@ -1,16 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: woodpecker-agent-secrets
namespace: woodpecker
spec:
encryptedData:
WOODPECKER_AGENT_SECRET: AgBmeIkpWWnoPxHam7X6V5/TTI2pu3DwzuvWySQuWewf1N72hl6Ljw6aFJEU6Mu02keLB2ECPPBg+kJ5Bh/d3rMPllSW/HyuepjyrnaWBgNkAWObjJ7oOmqVR1TlXORj8cLz/vHkhq75Cn0FLQ+/2FlAxX436YEIB92IVObdx6J006UM+HqlRn7TXXuD168pd/3L/DhQdGnyBcDH7u21o1nLl+gZvqe6L6v/Jz6Z5gDi9B8B7zwldQfGY/BKv5fKOJixqisXfteV+BbAzce4KgI5djqKUoaOOy8T7Sm3uGYckxtEkA+mMcX5SUKInsFRnfpTfbMZU+2GofpHKbHFLYiqsZ8HG6/9P8EZ3DBsPrGG/xyccnH/Ylwj+jJfkrlDPo2i42rqB4XwES5sxnUAdF8W9f8QTK/4wlbglUqBJf/g74hNrYIVw+YikGpBYHaRInYLXnsXReaIyhvG0UK9fjotTZJ5ptta/OZ04kvXqoxXGojBPtZc/0n9vI0ynbIlHCOO7dRawaG/Iefg7cCZvpzBCyL5dd1gtCXUYrPoFrn1UFc9kD6YzRtiPO4AnTZjXXuEMiVsyjFBeewiq9b4QchXO5zY/6DhnLv8HDCJwAZD3HiCFJ/O6wOzBTdqCmPXMpVGbJOOy3Vm8W16uyMOkwmYeq78oFQxMhkfnLReh3svdPGKV9Mr9sn+7NmPJmZ50TEuXF6LUGc0AcgDw9MZ8JsURp8wrA==
WOODPECKER_SERVER: 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
template:
metadata:
creationTimestamp: null
name: woodpecker-agent-secrets
namespace: woodpecker
type: Opaque


@ -1,23 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: woodpecker-server-secrets
namespace: woodpecker
spec:
encryptedData:
WOODPECKER_ADMIN: 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
WOODPECKER_AGENT_SECRET: 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
WOODPECKER_BACKEND: AgB73OxahHCk4EajfFojKnZvy58C5/u/X2oWCd5RYN/wf7ylXBM1nnVBcziWt+MDQK66ullXLrb/Z6M/G6XvWwrFK4ZGM3N9kRtF+P3R+cq4pNhilr9DgabAdPTbD3fSsPFlX4lb52MILymHWvjsVFXJ/WMYa+yYiSkEU3oOGJID1+McDBiQ0iE6Fxd+gEpBbzCwyry4REsn37KIOFY612nZ9QKmD2t3VwHvwPrAQXMqVrS1kLumbiYvxYVrni69NMYtUFZBCXH2pwQnZVIb+zADVnIa3N3hQNzhzaAs5cvu9kedE2ZMb9zXDe33kzcIWbBh2PcROLMztiPNqclwthX/QDlEbpOv0zyJOHyTmtPMxMoGgaTOkgAfMRpVi49V9w+Mn4MG56KTsHNSJb6iv5ENjI5Mpm3ItGKvER8BrtBjWY5AJnBApmaNp07aKKjXtMZB4jSFhnMSE04zO9NFEHZQVJppYcVgDSY8oaiSqcK69Ywp6XKksHMxpDmGMGmI9QRyvISN4V17UN1pJxHXREGG2SAqsG7AIf8g0SZF6dGcVf7rv6BmaEsELBnHFzC13MuTBvnLXoCLLSb4OYEaye94yyKIqVKDNRXJYeNZeBfBji04eMv4RebPcfHydgsWDfsv1rsBQDVYj1BAOFE26LcOAjBWDfYUVDJyaTTCp+a2FIyEeFKRIzuYy5q+3atMASRbpfhS+LTlzq4m
WOODPECKER_GITEA: 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
WOODPECKER_GITEA_CLIENT: 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
WOODPECKER_GITEA_SECRET: 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
WOODPECKER_GITEA_URL: 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
WOODPECKER_HOST: 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
template:
metadata:
creationTimestamp: null
name: woodpecker-server-secrets
namespace: woodpecker
type: Opaque


@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: woodpecker-shared-storage
namespace: woodpecker
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 20Gi
storageClassName: nfs-client


@ -1,123 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: woodpecker-agent-pv5
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
storageClassName: "iscsi-manual"
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:woodpecker-agent
lun: 1
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: woodpecker-iscsi-auth
namespace: woodpecker
claimRef:
name: woodpecker-agent-pvc5
namespace: woodpecker
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: woodpecker-agent-pvc5
namespace: woodpecker
spec:
accessModes:
- ReadWriteOnce
storageClassName: "iscsi-manual"
volumeName: woodpecker-agent-pv5
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: woodpecker-server-pv5
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
storageClassName: "iscsi-manual"
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:woodpecker-server
lun: 0
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: woodpecker-iscsi-auth
namespace: woodpecker
claimRef:
name: woodpecker-server-pvc5
namespace: woodpecker
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: woodpecker-server-pvc5
namespace: woodpecker
spec:
accessModes:
- ReadWriteOnce
storageClassName: "iscsi-manual"
volumeName: woodpecker-server-pv5
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: data-woodpecker-server-0
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
storageClassName: "iscsi-manual"
persistentVolumeReclaimPolicy: Retain
iscsi:
targetPortal: truenas.local.gwg313.xyz
iqn: iqn.2005-10.org.freenas.ctl:woodpecker-data
lun: 2
fsType: ext4
readOnly: false
chapAuthDiscovery: true
chapAuthSession: true
secretRef:
name: woodpecker-iscsi-auth
namespace: woodpecker
claimRef:
name: data-woodpecker-server-0
namespace: woodpecker
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data-woodpecker-server-0
namespace: woodpecker
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
storageClassName: "iscsi-manual"
volumeName: data-woodpecker-server-0
resources:
requests:
storage: 10Gi


@ -1,27 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: wp-cache-pv1
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
# storageClassName: manual-nfs
# nfs:
# server: truenas.local.gwg313.xyz
# path: /mnt/tank/k8s/democratic/woodpecker-cache
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wp-cache-pvc1
namespace: woodpecker
spec:
accessModes:
- ReadWriteMany
storageClassName: manual-nfs
resources:
requests:
storage: 1Gi